Paul Gear | 1 Apr 01:28 2008

Re: Dynamic blacklist specific port, possible?

Tom Eastep wrote:
> Paul Gear wrote:
> 
>>
>> The dynamic blacklist is just a normal table called dynamic.  There is
>> nothing to stop you putting stuff in there manually in a way that suits
>> your needs.  So instead of running
>>     shorewall drop IP
>> you would run
>>      iptables -A dynamic --src IP --proto tcp --dport 22 -j DROP
>> The equivalent of
>>     shorewall allow IP
>> would in this case be
>>     iptables -D dynamic --src IP --proto tcp --dport 22 -j DROP
> 
> Just don't "shorewall save" after you do that because "shorewall
> restore" from that save point will crash.

Another good reason not to do it!  :-)

Paul
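A pre-save check for the hand-made entries discussed above, added here as an example and not code from the thread or from Shorewall: it builds the port-specific iptables command Paul gives and scans an `iptables -S dynamic` listing for entries carrying a protocol or port match, so they can be removed before `shorewall save`. The assumption that `shorewall drop` entries match only on source address, and the sample listing, are mine.

```python
"""Port-specific entries in Shorewall's 'dynamic' chain (see thread above)."""
import shlex

# Tokens that only a hand-added, port-specific rule would carry.
PORT_MATCH_TOKENS = {"-p", "--proto", "--protocol", "--dport", "--destination-port"}


def dynamic_rule_argv(ip, port, action="-A", proto="tcp"):
    """argv for the manual command from the thread: -A adds, -D deletes."""
    if action not in ("-A", "-D"):
        raise ValueError("action must be -A (add) or -D (delete)")
    return ["iptables", action, "dynamic", "--src", ip,
            "--proto", proto, "--dport", str(port), "-j", "DROP"]


def manual_dynamic_entries(listing):
    """Return rules from an `iptables -S dynamic` listing that match on a
    protocol or port.  Assumption (not from the thread): entries made by
    `shorewall drop IP` match only on source address, so anything carrying a
    port match was added by hand and will not survive save/restore."""
    found = []
    for line in listing.splitlines():
        argv = shlex.split(line)
        if len(argv) > 2 and argv[0] == "-A" and argv[1] == "dynamic":
            if PORT_MATCH_TOKENS.intersection(argv):
                found.append(" ".join(argv))
    return found


def safe_to_save(listing):
    """True when the dynamic chain holds only address-based entries."""
    return not manual_dynamic_entries(listing)


# Constructed sample of `iptables -S dynamic` output (not a real capture);
# iptables rewrites `--proto tcp --dport 22` as `-p tcp -m tcp --dport 22`.
SAMPLE_LISTING = """\
-N dynamic
-A dynamic -s 203.0.113.7/32 -j DROP
-A dynamic -s 198.51.100.9/32 -p tcp -m tcp --dport 22 -j DROP
"""

if __name__ == "__main__":
    print(" ".join(dynamic_rule_argv("198.51.100.9", 22)))
    for rule in manual_dynamic_entries(SAMPLE_LISTING):
        print("remove before 'shorewall save':", rule)
```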

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
Rhon | 1 Apr 07:23 2008

Allow Direct Connection from host

Hi,

Is there any way I can allow my internal server to bypass the firewall and have a direct connection? I usually do it using these rules:

# Allow this IP to have direct connection
iptables -A FORWARD -i eth0 -d 192.168.1.100/24 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.1.100/24 -j ACCEPT

How can I convert it to fit shorewall rules?

TIA

Thomas Harold | 1 Apr 07:44 2008

Re: Netfilter, libpcap, ntop and promiscuous mode?

Thomas Harold wrote:
> I have a really basic question (I think).  We have two boxes connected 
> to a lan segment on a hub.  One is a Windows box running "Show Traffic", 
> the other is a CentOS 5 Linux box running "ntop".  Both boxes should be 
> able to sniff all of the traffic on that hub (not a switch).
> 
> The Windows box does just fine, Show Traffic is able to display traffic 
> destined for other boxes on the network segment.
> 
> The linux box, OTOH, seems to only see multicast traffic and traffic 
> that is destined for its interface.
> 

The follow-up answer to this issue was that it seems that the Intel 
PRO/1000 dual-port PCIe card does indeed not function correctly in 
promiscuous mode when connected to a 100Mbps hub.  (In this particular 
case, it was hooked to a 10/100 dual-speed hub.  The Windows box was 
running a 100Mbps NIC and had no issues capturing all traffic.)

We swapped out the 10/100 dual-speed hub and have installed a 
10/100/1000 switch.  We configured port 1 as our "monitoring" / 
"sniffing" port and told the switch to mirror all inbound/outbound 
traffic to that port.  Our server with the Intel dual-port gigabit PCIe 
NIC is now able to report on all traffic with ntop (and other tools).

Shorewall was not getting in the way at all, it seems to be purely a 
hardware or driver issue under Linux.

Tom Eastep | 1 Apr 07:50 2008

Re: Allow Direct Connection from host

Rhon wrote:
> Hi,
> 
> Is there any way I can allow my internal server to bypass the firewall 
> and have direct connection? I usually do it using this rule:

You are not "bypassing the firewall"; you are configuring your firewall to 
allow certain traffic.

> 
> # Allow this IP to have direct connection
> iptables -A FORWARD -i eth0 -d 192.168.1.100/24 -j ACCEPT
> iptables -A FORWARD -i eth1 -s 192.168.1.100/24 -j ACCEPT
> 
> How can I convert it to fit shorewall rules?

There is no way to directly convert those rules without more information 
about your setup. When using Shorewall, you must describe your firewall in 
Shorewall terms (zones, policies and rules) rather than in raw iptables 
terms (interfaces and networks).

So if you will tell us about your network topology and Shorewall 
configuration, we can then advise you how to configure Shorewall to obtain 
similar results.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Rhon | 1 Apr 08:39 2008

Re: Allow Direct Connection from host

Hi Tom,

Thanks for your reply. Here are some of the details of my firewall:

/etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect
net     eth1            detect
loc     eth2            detect          dhcp

/etc/shorewall/zones
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
loc     ipv4
net     ipv4

/etc/shorewall/policy
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
$FW             net             ACCEPT
loc             net             ACCEPT
loc             fw              ACCEPT
net             all             DROP            info

#THIS LINE MUST BE LAST
all             all             REJECT          info

I want to allow one host to have direct connection to the Internet. How can I possibly do this?

TIA
rhon

Paul Gear | 1 Apr 12:54 2008

Re: Allow Direct Connection from host

Rhon wrote:
> Hi Tom,
> 
> Thanks for your reply. Here's some of the details of my firewall
> 
> /etc/shorewall/interfaces
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     eth0            detect
> net     eth1            detect
> ...
> /etc/shorewall/policy
> #SOURCE         DEST            POLICY          LOG             LIMIT:BURST
> #                                               LEVEL
> ...
> net             all             DROP            info
> ...
> I want to allow one host to have direct connection to the Internet. How
> can I possibly do this?

Based on what you've described, your firewall should already be allowing
this traffic, since eth0 & eth1 are in the same zone (net).  If I
remember correctly there's no restriction on intra-zone traffic, no
matter what the policies are.

Paul

Tom Hendrickx | 1 Apr 15:06 2008

shorewall configuration problem

Hi everyone!

I've been setting up a LEAF system with shorewall on it, but it doesn't 
really work. I've followed these steps to configure it:

www.shorewall.net/3.0/NewBridge.html

with a few modifications, because both interfaces are in the local 
network (loc), and the idea is to have a server on one side and an 
ordinary computer accessing the server, for instance only on port 80.
BTW: this is only for testing purposes.

As attachment I've included the trace..

Greetings

Tom
Attachment (trace.gz): application/x-gzip, 20 KiB

Re: Netfilter, libpcap, ntop and promiscuous mode?

> The follow-up answer to this issue was that it seems that the Intel 
> PRO/1000 dual-port PCIe card does indeed not function correctly in 
> promiscuous mode when connected to a 100Mbps hub.  (In this particular 

One thing to consider is that the traffic on a dual-speed hub is actually
segmented (via a switch), so in reality you end up with a 10Mb hub and a
100Mb hub that do not share a collision domain (i.e. if you were trying to
sniff 10Mb traffic from a 100Mb device, I think you would have gotten this
same result).

Tom Eastep | 1 Apr 16:13 2008

Re: shorewall configuration problem

Tom Hendrickx wrote:
> Hi everyone!
> 
> I've been setting up a leaf system with shorewall on it, but it doesn't 
> really work. I've followed the next steps to configure it:
> 
> www.shorewall.net/3.0/NewBridge.html
> 
> with a few modifications, because both interfaces are in the local 
> network (loc), and the idea is to have a server on one side and an 
> ordinary computer accessing the server, for instance only on port 80.
> BTW: this is only for testing purposes.
> 
> As attachment I've included the trace..

From the trace:

    ERROR: Invalid zone definition for zone loc

That error means that you are either:

a) trying to define the zone 'loc' in both the /etc/shorewall/interfaces and 
/etc/shorewall/hosts files

	interfaces

	loc	br0	...

	hosts

	loc	br0:192.168.1.0/24	...

or

b) have entries such as follows in /etc/shorewall/hosts:

	loc	br0:0.0.0.0/0
	loc	br0:192.168.1.0/24

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Hendrickx | 1 Apr 16:24 2008

Re: shorewall configuration problem

Hi,

Quoting Tom Eastep <teastep <at> shorewall.net>:

>
> Tom Hendrickx wrote:
>> Hi everyone!
>>
>> I've been setting up a leaf system with shorewall on it, but it 
>> doesn't really work. I've followed the next steps to configure it:
>>
>> www.shorewall.net/3.0/NewBridge.html
>>
>> with a few modifications, because both interfaces are in the local 
>> network (loc), and the idea is to have a server on one side and an 
>> ordinary computer accessing the server, for instance only on port 80.
>> BTW: this is only for testing purposes.
>>
>> As attachment I've included the trace..
>
> From the trace:
>
>    ERROR: Invalid zone definition for zone loc
>
> That error means that you are either:
>
> a) trying to define the zone 'loc' in both the 
> /etc/shorewall/interfaces and /etc/shorewall/hosts files
>
> 	interfaces
>
> 	loc	br0	...
>
> 	hosts
>
> 	loc	br0:192.168.1.0/24	...
>
> or
>
> b) have entries such as follows in /etc/shorewall/hosts:
>
> 	loc	br0:0.0.0.0/0
> 	loc	br0:192.168.1.0/24
>
> -Tom

My entries are almost exactly like the example at 
www.shorewall.net/3.0/NewBridge.html; only in the hosts file I've not 
used any exceptions, and for interfaces I've used the standard options 
out of LEAF and followed
www.shorewall.net/SimpleBridge.html

My interfaces file looks like this:

#ZONE   INTERFACE       BROADCAST       OPTIONS
loc     br0             192.168.1.255   routeback,dhcp,routefilter,norfc1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

and my hosts file like this:

#ZONE   HOST(S)                                 OPTIONS
loc     br0:192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

thx for the reply!
Tom

> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep <at> shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
>
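A checker for the two conflicts Tom describes, added here as an example and not Shorewall's own code: it parses the interfaces and hosts tables and reports (a) a zone on the same interface in both files and (b) hosts entries for one zone whose networks contain one another. Run against the interfaces and hosts lines posted above (copied into the constants; the OPTIONS columns are ignored), it flags condition (a).

```python
"""Find the conflicts behind 'ERROR: Invalid zone definition for zone X'."""
import ipaddress


def parse_table(text):
    """Columns of each line of a Shorewall table, comments and blanks dropped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def find_zone_conflicts(interfaces_text, hosts_text):
    """Return human-readable problems (empty list when the tables are consistent)."""
    problems = []
    # interfaces: ZONE INTERFACE BROADCAST OPTIONS
    iface_zones = {(c[0], c[1]) for c in parse_table(interfaces_text) if len(c) >= 2}
    # hosts: ZONE HOST(S) OPTIONS, with HOST(S) = interface:addr[,addr...]
    host_nets = {}
    for c in parse_table(hosts_text):
        if len(c) < 2 or ":" not in c[1]:
            continue
        iface, addrs = c[1].split(":", 1)
        for addr in addrs.split(","):
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                continue  # ipset names, exclusions etc. are not networks
            host_nets.setdefault((c[0], iface), []).append(net)
    # (a) the same zone on the same interface in both files
    for zone, iface in sorted(iface_zones & set(host_nets)):
        problems.append(f"zone {zone} on {iface} is defined in both interfaces and hosts")
    # (b) hosts entries for one zone/interface whose networks contain one another
    for (zone, iface), nets in host_nets.items():
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.version == b.version and (a.subnet_of(b) or b.subnet_of(a)):
                    problems.append(f"zone {zone} on {iface}: hosts entries {a} and {b} overlap")
    return problems


# The interfaces and hosts lines Tom Hendrickx posted, reproduced as constants.
HENDRICKX_INTERFACES = """#ZONE   INTERFACE       BROADCAST       OPTIONS
loc     br0             192.168.1.255   routeback,dhcp,routefilter,norfc1918
"""
HENDRICKX_HOSTS = """#ZONE   HOST(S)                                 OPTIONS
loc     br0:192.168.1.0/24
"""
# Constructed instance of Tom Eastep's case (b): nested networks for one zone.
OVERLAPPING_HOSTS = "loc\tbr0:0.0.0.0/0\nloc\tbr0:192.168.1.0/24\n"
```

`find_zone_conflicts(HENDRICKX_INTERFACES, HENDRICKX_HOSTS)` reports the zone loc on br0 as defined in both files, which is case (a) from Tom's reply.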

